Don’t be an unwilling accomplice to credit card fraud

by Neil Moncrief on May 12, 2009

A few years ago, my business partner and I learned a hard lesson about how crooks operate and what they’ll do to validate stolen credit card numbers. I was a co-owner of, an e-commerce business specializing in extreme size men’s shoes. Like most e-commerce businesses, we used a payment gateway to gather authorizations. And like most, we notified our customers within a few seconds whether or not their order was approved. At the time, we were using AVS to validate addresses, and we were careful to never ship suspicious orders without contacting the customer first. In short, we were doing everything right.

The problem occurred during our busiest time of the year. Our website, shopping cart, and gateway were set to automatically pre-authorize credit cards before we ever saw the orders. That kept us from having to deal with declined credit cards. One morning, we received a handful of orders for inexpensive items like socks. The orders came from Nigeria and were identical for the most part. AVS had flagged the orders, so when the “customer” didn’t reply to my emails, I suspected the orders were bogus and set them aside. We made a change in our gateway settings to automatically reject all future orders from Nigeria, and we continued going about our business. Over the next few days, hundreds more of these bogus orders were attempted. All were rejected, and all were ignored.

A couple of weeks later, our banker called to see what was wrong. Our checking account was in the negative! After asking the banker some questions, we realized none of our deposits (from our legitimate busy-season sales) had reached the bank since the first orders from Nigeria had arrived. After doing some research, we learned that credit card thieves will select websites that pre-authorize cards, and then use those websites as a tool to validate their stolen card numbers before selling them. (They didn’t want our socks, just our “service.”) To make a long and painful story short, our processor, Total Merchant Services, had noticed the flood of attempts being made against our website and had put a hold on all our deposits. Those deposits were from legitimate orders received during our busiest season of the year. TMS had 2 weeks’ worth of our sales, and they wouldn’t release it for six months!

In hindsight, we couldn’t have prevented the credit card thieves from placing orders on our website. But we could have (and should have) removed their incentive by turning off the pre-authorization feature when we first noticed the pattern. That would have inconvenienced us for a day or two, but it might have prevented our processor from taking action.
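The pattern described above (a burst of near-identical, low-value orders that fail AVS) can be flagged automatically, so you know when to switch off automatic pre-authorization. The sketch below is an added example, not code from our store or any gateway; the field names, thresholds, and sample orders are all assumptions made up for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed look-back window
MAX_AMOUNT = 15.00            # assumed ceiling for a "cheap item" order, USD
THRESHOLD = 5                 # assumed count of suspicious attempts that trips the alert


def detect_card_testing(attempts):
    """Return {(country, sku): time the burst threshold was first crossed}.

    An attempt counts as suspicious when it is low-value and failed AVS.
    Attempts are grouped by (country, sku) because the bogus orders in the
    story were near-identical.
    """
    recent = defaultdict(deque)
    alerts = {}
    for a in sorted(attempts, key=lambda a: a["ts"]):
        if a["amount"] > MAX_AMOUNT or a["avs_ok"]:
            continue  # normal-looking order, ignore
        key = (a["country"], a["sku"])
        q = recent[key]
        q.append(a["ts"])
        while a["ts"] - q[0] > WINDOW:  # drop attempts older than the window
            q.popleft()
        if len(q) >= THRESHOLD and key not in alerts:
            alerts[key] = a["ts"]
    return alerts


def build_sample():
    """Constructed data: a burst of cheap AVS-failed orders among normal sales."""
    t0 = datetime(2009, 12, 1, 8, 0)
    burst = [{"ts": t0 + timedelta(minutes=5 * i), "country": "XX", "sku": "socks",
              "amount": 6.99, "avs_ok": False} for i in range(6)]
    normal = [{"ts": t0 + timedelta(minutes=20 * i), "country": "US", "sku": "boots",
               "amount": 129.00, "avs_ok": True} for i in range(4)]
    stray = [{"ts": t0 + timedelta(hours=3 * i), "country": "US", "sku": "socks",
              "amount": 6.99, "avs_ok": False} for i in range(3)]
    return burst + normal + stray


if __name__ == "__main__":
    for (country, sku), when in detect_card_testing(build_sample()).items():
        print(f"{when}: card-testing pattern ({country}, {sku}); "
              "suspend automatic pre-authorization and call the processor")
```

On the constructed data, only the burst trips the alert; the occasional AVS failure on a cheap domestic order does not.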

Here’s one more thing you should do if you ever experience this situation, or anything similar. Call your credit card processor and tell them about it. Processors have forgotten more about credit card fraud than you will ever know. You pay for their services, so don’t hesitate to call on them. And lastly, if your processor doesn’t bend over backwards to help you, find another processor. I’d be happy to help you locate one!

I’m happy to provide this information free of charge.  If you found it helpful, please subscribe to my RSS feed so you’ll be notified of future posts.  You can also follow me on Twitter, where I regularly post short tips.  I promise to never spam you or pressure you.  Please forward this to your friends in business, and feel free to rate my post or leave a comment so I’ll know how to improve. Thanks!
